Security

Tagmap takes security seriously and follows the best security practices where possible.


Security Bugs

If you have found a bug, please send an email to security@ this domain (or use our feedback form) with information on how to reproduce it and why it poses a security risk.

If your bug meets our criteria for security-critical status, you may have your name added to this page as our way of saying thanks. Severe bugs may also be eligible for a financial (USD) reward, depending on their severity and feasibility, although this is at our own discretion and no guarantees are made.


Guidelines for security researchers

If you are a security researcher and intend to responsibly report issues to us via the method above, please be respectful and follow common standards when using our services. If you create an account for the purpose of security research, please start its username with 'securitytest'. Do not engage in activities that could harm Tagmap or any of its users, including deleting data, accessing private user data, DDoS attacks, spamming, etc. The ability to quickly create many accounts, tags, or messages (spamming) or to otherwise disrupt the user experience is not considered a security bug, so please be kind and ensure your actions do no harm before proceeding. The ability to perform client-side XSS (Self-XSS) is also not considered a bug; to qualify as a security bug, you must be able to force a different user's browser to execute untrusted JavaScript. The use of automated vulnerability scanners is also prohibited.


Additional information

Tagmap is hosted on Amazon AWS. All user data is protected in transit by strong encryption (TLS/HTTPS) using best practices (secure ciphers, HSTS, and insecure connections disallowed). Confidential user information such as passwords is hashed securely using bcrypt. Many other industry-standard security practices are in use, such as two-factor authentication for administration, whitelisted firewalling, isolation/separation of privileges, etc.
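Two of the transport properties listed above (HSTS enabled, insecure connections disallowed) are easy to verify from the outside by looking at response headers. The following is an added example written for this page, not Tagmap's own code or tooling: it parses a Strict-Transport-Security header, checks its max-age against a one-year threshold (an assumption; browsers accept any value, but a short max-age weakens the protection), and confirms that a plain-HTTP response redirects to an https:// URL rather than serving content. The sample responses are constructed, not captured from any real server.

```python
"""Checks for the transport-security properties described above: an HSTS header
with a sufficiently long max-age, and plain-HTTP requests redirected to HTTPS.
Added example; not Tagmap's code. All sample headers below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# One year in seconds. The threshold is an assumption for this example; browsers
# honour any max-age, but short values give only brief protection.
MIN_MAX_AGE = 365 * 24 * 3600

# Constructed sample HTTPS responses: (status, headers).
SAMPLE_RESPONSES = {
    "good": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    "short": (200, {"strict-transport-security": "max-age=300"}),
    "missing": (200, {"Content-Type": "text/html"}),
    "malformed": (200, {"Strict-Transport-Security": "max-age=forever"}),
}
# Constructed sample responses to a plain-HTTP request: (status, headers).
SAMPLE_PLAIN_HTTP = {
    "redirects": (301, {"Location": "https://example.test/"}),
    "serves_content": (200, {"Content-Type": "text/html"}),
    "redirects_insecurely": (302, {"Location": "http://example.test/login"}),
}


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    ok: bool
    reason: str


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains' into a lowercase directive map."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: Dict[str, str], min_max_age: int = MIN_MAX_AGE) -> HstsResult:
    """Evaluate the Strict-Transport-Security header of an HTTPS response."""
    value = _header(headers, "Strict-Transport-Security")
    if value is None:
        return HstsResult(False, None, False, False, False, "no Strict-Transport-Security header")
    directives = parse_hsts(value)
    include_subdomains = "includesubdomains" in directives
    preload = "preload" in directives
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        # A header without a valid max-age is ignored by browsers entirely.
        return HstsResult(True, None, include_subdomains, preload, False,
                          "max-age missing or not an integer; browsers ignore the header")
    if max_age < min_max_age:
        return HstsResult(True, max_age, include_subdomains, preload, False,
                          f"max-age {max_age} below recommended minimum {min_max_age}")
    return HstsResult(True, max_age, include_subdomains, preload, True, "ok")


def check_http_redirect(status: int, headers: Dict[str, str]) -> Tuple[bool, str]:
    """For a response to a plain-HTTP request: it must redirect, and to an https:// URL."""
    if status not in (301, 302, 307, 308):
        return False, f"plain HTTP answered with status {status} instead of redirecting"
    location = _header(headers, "Location") or ""
    if not location.lower().startswith("https://"):
        return False, f"redirect target is not HTTPS: {location!r}"
    return True, "ok"


if __name__ == "__main__":
    for name, (status, headers) in SAMPLE_RESPONSES.items():
        print(f"HTTPS {name:>9}: {check_hsts(headers)}")
    for name, (status, headers) in SAMPLE_PLAIN_HTTP.items():
        print(f"HTTP  {name:>20}: {check_http_redirect(status, headers)}")
```

Note that the "malformed" case is flagged as failing even though the header is present: a Strict-Transport-Security header whose max-age is not an integer is discarded by browsers, so it gives no protection at all. Password hashing with bcrypt is not shown here because it needs a third-party library and cannot be checked from outside the service.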


Publicity of account information

Keep in mind that all information added to your profile is public (excluding your email and password, and with locations shown only as approximations) unless otherwise specified (such as by setting your profile visibility to hidden). Only add information that you are okay with being made public. If you are concerned about the publicity of your location, please ensure your location is set to a point a comfortable distance away from where you live, such as several miles away.